SELECTING CYBERSECURITY RISK IDENTIFICATION AND ASSESSMENT APPROACHES FOR CRITICAL INFRASTRUCTURE
Abstract
Critical infrastructure is essential for the successful functioning of societies, and cybersecurity ensures its resilience. To this end, risk identification and continuous assessment are crucial. Managers employ various methods, models, frameworks, standards, guidance, tools, and procedures for these tasks. Hundreds of these cybersecurity risk identification and assessment (CSRI&A) approaches exist, differing widely in scope, design, requirements, and implementation. Previous research has reviewed these approaches, examined the contexts in which they operate, and provided guidance on their selection. However, despite the pressing need to secure critical infrastructure and the previous work in the field, little is known about which CSRI&A approaches cybersecurity managers use or the reasons behind their choices.

This study is a two-stage mixed-methods design consisting of 22 semi-structured interviews that informed a survey of 216 participants. All were cybersecurity managers, ranging from middle management to C-suite executives, representing all 16 of the US CISA-designated critical infrastructure sectors. Using a novel conceptual framework that synthesizes theories from technology adoption, decision-making, and information behavior, I assessed whether managers selected their approaches based on fundamental, functional, or situational differences. My findings indicate that while NIST- and ISO-related approaches are common choices, most managers use multiple methods, often pairing NIST or ISO approaches with specialized options, such as NERC CIP, or more flexible ones, such as CIS 18. Custom approaches are also prevalent. Results demonstrated the framework's utility, particularly in capturing the multidimensional nature of approach selection through construct unions. Situational context emerged as a consistent modifier in most decision-making processes.

Three additional themes regarding approach selection emerged from the analysis. First, consultants play a pivotal role in the development, selection, and often the implementation of these approaches. Second, there is a disconnect between the types of risk measurement that managers describe as ideal and those they actually use. Third, compatibility between approaches matters, given that most managers employ more than one approach. These three themes also drive the need to create custom solutions. To triangulate these findings and address the complexity of multivariate data, I developed a method that uses association rules to construct thematic profiles from the managerial and organizational traits that co-occur with the use of each approach. Analyzing the 23 main approaches identified in the study revealed distinct selection differences among managers based on managerial level, the involvement of internal or third-party accounting and finance teams, cyber insurance requirements, and individual perspectives on issues such as price value and the absence of effective approaches for operational technologies.

By enhancing understanding of approach selection, I aim to improve management decision-making strategies, raise awareness for approach development, and strengthen cybersecurity risk information-sharing programs. This advances the field by focusing on high-level managers as individual decision-makers whose choices influence both their own work and broader cybersecurity practices within their organizations, thereby bridging the gap between individual agency and organizational outcomes. By empirically examining the actions and perspectives of these individuals, my study provides new insights into how managerial discretion and context interact to shape risk management strategies at the organizational level. My practical aim is to offer innovative profile-based support to managers to improve their approach selection process. This will also inform developers of new approaches and the consultants who recommend them.